<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<!-- GenHTML revision 25226-->
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<title>Securing Enterprise Information Systems Applications - The Java EE 6 Tutorial</title>
<meta name="robots" content="index,follow">
<meta name="robots" content="index,follow">
<meta name="date" content="2011-03-01">
<link rel="stylesheet" type="text/css" href="css/default.css">
<link rel="stylesheet" type="text/css" href="css/ipg.css">
<link rel="stylesheet" type="text/css" href="css/javaeetutorial.css">
</head>

<body>

<table border="0" cellpadding="5" cellspacing="0" width="100%">
<tbody>
   <tr valign="top">
      <td width="400px"><p class="toc level1"><a href="docinfo.html">Document Information</a></p>
<p class="toc level1 tocsp"><a href="gexaf.html">Preface</a></p>
<p class="toc level1 tocsp"><a href="gfirp.html">Part&nbsp;I&nbsp;Introduction</a></p>
<p class="toc level2"><a href="bnaaw.html">1.&nbsp;&nbsp;Overview</a></p>
<p class="toc level2"><a href="gfiud.html">2.&nbsp;&nbsp;Using the Tutorial Examples</a></p>
<p class="toc level1 tocsp"><a href="bnadp.html">Part&nbsp;II&nbsp;The Web Tier</a></p>
<p class="toc level2"><a href="bnadr.html">3.&nbsp;&nbsp;Getting Started with Web Applications</a></p>
<p class="toc level2"><a href="bnaph.html">4.&nbsp;&nbsp;JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="giepx.html">5.&nbsp;&nbsp;Introduction to Facelets</a></p>
<p class="toc level2"><a href="gjddd.html">6.&nbsp;&nbsp;Expression Language</a></p>
<p class="toc level2"><a href="bnaqz.html">7.&nbsp;&nbsp;Using JavaServer Faces Technology in Web Pages</a></p>
<p class="toc level2"><a href="gjcut.html">8.&nbsp;&nbsp;Using Converters, Listeners, and Validators</a></p>
<p class="toc level2"><a href="bnatx.html">9.&nbsp;&nbsp;Developing with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkmaa.html">10.&nbsp;&nbsp;JavaServer Faces Technology Advanced Concepts</a></p>
<p class="toc level2"><a href="bnawo.html">11.&nbsp;&nbsp;Configuring JavaServer Faces Applications</a></p>
<p class="toc level2"><a href="gkiow.html">12.&nbsp;&nbsp;Using Ajax with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkhxa.html">13.&nbsp;&nbsp;Advanced Composite Components</a></p>
<p class="toc level2"><a href="bnavg.html">14.&nbsp;&nbsp;Creating Custom UI Components</a></p>
<p class="toc level2"><a href="bnafd.html">15.&nbsp;&nbsp;Java Servlet Technology</a></p>
<p class="toc level2"><a href="bnaxu.html">16.&nbsp;&nbsp;Internationalizing and Localizing Web Applications</a></p>
<p class="toc level1 tocsp"><a href="bnayk.html">Part&nbsp;III&nbsp;Web Services</a></p>
<p class="toc level2"><a href="gijti.html">17.&nbsp;&nbsp;Introduction to Web Services</a></p>
<p class="toc level2"><a href="bnayl.html">18.&nbsp;&nbsp;Building Web Services with JAX-WS</a></p>
<p class="toc level2"><a href="giepu.html">19.&nbsp;&nbsp;Building RESTful Web Services with JAX-RS</a></p>
<p class="toc level2"><a href="gjjxe.html">20.&nbsp;&nbsp;Advanced JAX-RS Features</a></p>
<p class="toc level2"><a href="gkojl.html">21.&nbsp;&nbsp;Running the Advanced JAX-RS Example Application</a></p>
<p class="toc level1 tocsp"><a href="bnblr.html">Part&nbsp;IV&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijsz.html">22.&nbsp;&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijre.html">23.&nbsp;&nbsp;Getting Started with Enterprise Beans</a></p>
<p class="toc level2"><a href="gijrb.html">24.&nbsp;&nbsp;Running the Enterprise Bean Examples</a></p>
<p class="toc level2"><a href="bnbpk.html">25.&nbsp;&nbsp;A Message-Driven Bean Example</a></p>
<p class="toc level2"><a href="gkcqz.html">26.&nbsp;&nbsp;Using the Embedded Enterprise Bean Container</a></p>
<p class="toc level2"><a href="gkidz.html">27.&nbsp;&nbsp;Using Asynchronous Method Invocation in Session Beans</a></p>
<p class="toc level1 tocsp"><a href="gjbnr.html">Part&nbsp;V&nbsp;Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="giwhb.html">28.&nbsp;&nbsp;Introduction to Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="gjbls.html">29.&nbsp;&nbsp;Running the Basic Contexts and Dependency Injection Examples</a></p>
<p class="toc level2"><a href="gjehi.html">30.&nbsp;&nbsp;Contexts and Dependency Injection for the Java EE Platform: Advanced Topics</a></p>
<p class="toc level2"><a href="gkhre.html">31.&nbsp;&nbsp;Running the Advanced Contexts and Dependency Injection Examples</a></p>
<p class="toc level1 tocsp"><a href="bnbpy.html">Part&nbsp;VI&nbsp;Persistence</a></p>
<p class="toc level2"><a href="bnbpz.html">32.&nbsp;&nbsp;Introduction to the Java Persistence API</a></p>
<p class="toc level2"><a href="gijst.html">33.&nbsp;&nbsp;Running the Persistence Examples</a></p>
<p class="toc level2"><a href="bnbtg.html">34.&nbsp;&nbsp;The Java Persistence Query Language</a></p>
<p class="toc level2"><a href="gjitv.html">35.&nbsp;&nbsp;Using the Criteria API to Create Queries</a></p>
<p class="toc level2"><a href="gkjiq.html">36.&nbsp;&nbsp;Creating and Using String-Based Criteria Queries</a></p>
<p class="toc level2"><a href="gkjjf.html">37.&nbsp;&nbsp;Controlling Concurrent Access to Entity Data with Locking</a></p>
<p class="toc level2"><a href="gkjia.html">38.&nbsp;&nbsp;Improving the Performance of Java Persistence API Applications By Setting a Second-Level Cache</a></p>
<p class="toc level1 tocsp"><a href="gijrp.html">Part&nbsp;VII&nbsp;Security</a></p>
<p class="toc level2"><a href="bnbwj.html">39.&nbsp;&nbsp;Introduction to Security in the Java EE Platform</a></p>
<p class="toc level2"><a href="bncas.html">40.&nbsp;&nbsp;Getting Started Securing Web Applications</a></p>
<p class="toc level2"><a href="bnbyk.html">41.&nbsp;&nbsp;Getting Started Securing Enterprise Applications</a></p>
<p class="toc level3"><a href="bnbyl.html">Securing Enterprise Beans</a></p>
<p class="toc level4"><a href="bnbyl.html#gjgdi">Securing an Enterprise Bean Using Declarative Security</a></p>
<p class="toc level5"><a href="bnbyl.html#gjgcq">Specifying Authorized Users by Declaring Security Roles</a></p>
<p class="toc level5"><a href="bnbyl.html#bnbyu">Specifying an Authentication Mechanism and Secure Connection</a></p>
<p class="toc level4 tocsp"><a href="bnbyl.html#gjgcs">Securing an Enterprise Bean Programmatically</a></p>
<p class="toc level5"><a href="bnbyl.html#gjgcr">Accessing an Enterprise Bean Caller's Security Context</a></p>
<p class="toc level4 tocsp"><a href="bnbyl.html#bnbyr">Propagating a Security Identity (Run-As)</a></p>
<p class="toc level5"><a href="bnbyl.html#bnbzb">Configuring a Component's Propagated Security Identity</a></p>
<p class="toc level5"><a href="bnbyl.html#bnbzc">Trust between Containers</a></p>
<p class="toc level4 tocsp"><a href="bnbyl.html#bnbzg">Deploying Secure Enterprise Beans</a></p>
<p class="toc level3 tocsp"><a href="gkbsz.html">Examples: Securing Enterprise Beans</a></p>
<p class="toc level4"><a href="gkbsz.html#bnbzk">Example: Securing an Enterprise Bean with Declarative Security</a></p>
<p class="toc level5"><a href="gkbsz.html#bnbzl">Annotating the Bean</a></p>
<p class="toc level5"><a href="gkbsz.html#bnbzn">To Build, Package, Deploy, and Run the Secure Cart Example Using NetBeans IDE</a></p>
<p class="toc level5"><a href="gkbsz.html#bnbzo">To Build, Package, Deploy, and Run the Secure Cart Example Using Ant</a></p>
<p class="toc level4 tocsp"><a href="gkbsz.html#bncaa">Example: Securing an Enterprise Bean with Programmatic Security</a></p>
<p class="toc level5"><a href="gkbsz.html#bncab">Modifying <tt>ConverterBean</tt></a></p>
<p class="toc level5"><a href="gkbsz.html#gkbsi">Modifying <tt>ConverterServlet</tt></a></p>
<p class="toc level5"><a href="gkbsz.html#bncad">To Build, Package, and Deploy the Secure Converter Example Using NetBeans IDE</a></p>
<p class="toc level5"><a href="gkbsz.html#bncae">To Build, Package, and Deploy the Secure Converter Example Using Ant</a></p>
<p class="toc level5"><a href="gkbsz.html#gjtdp">To Run the Secure Converter Example</a></p>
<p class="toc level3 tocsp"><a href="bncah.html">Securing Application Clients</a></p>
<p class="toc level4"><a href="bncah.html#bncai">Using Login Modules</a></p>
<p class="toc level4"><a href="bncah.html#bncaj">Using Programmatic Login</a></p>
<div id="scrolltoc" class="onpage">
<p class="toc level3 tocsp"><a href="">Securing Enterprise Information Systems Applications</a></p>
<p class="toc level4"><a href="#bncam">Container-Managed Sign-On</a></p>
<p class="toc level4"><a href="#bncan">Component-Managed Sign-On</a></p>
<p class="toc level4"><a href="#bncao">Configuring Resource Adapter Security</a></p>
<p class="toc level4"><a href="#bncap">To Map an Application Principal to EIS Principals</a></p>
</div>
<p class="toc level1 tocsp"><a href="gijue.html">Part&nbsp;VIII&nbsp;Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="gijto.html">42.&nbsp;&nbsp;Introduction to Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="bncih.html">43.&nbsp;&nbsp;Transactions</a></p>
<p class="toc level2"><a href="bncjh.html">44.&nbsp;&nbsp;Resource Connections</a></p>
<p class="toc level2"><a href="bncdq.html">45.&nbsp;&nbsp;Java Message Service Concepts</a></p>
<p class="toc level2"><a href="bncgv.html">46.&nbsp;&nbsp;Java Message Service Examples</a></p>
<p class="toc level2"><a href="gkahp.html">47.&nbsp;&nbsp;Advanced Bean Validation Concepts and Examples</a></p>
<p class="toc level2"><a href="gkeed.html">48.&nbsp;&nbsp;Using Java EE Interceptors</a></p>
<p class="toc level1 tocsp"><a href="gkgjw.html">Part&nbsp;IX&nbsp;Case Studies</a></p>
<p class="toc level2"><a href="gkaee.html">49.&nbsp;&nbsp;Duke's Tutoring Case Study Example</a></p>
<p class="toc level1 tocsp"><a href="idx-1.html">Index</a></p>
</td>
      <td width="10px">&nbsp;</td>
      <td>
         <div class="header">
             <div class="banner">
                <table width="100%" border="0" cellpadding="5" cellspacing="0">
                   <tbody>
                      <tr>
                         <td valign="bottom"><p class="Banner">The Java EE 6 Tutorial
</p></td>
                         <td align="right"  valign="bottom"><img src="graphics/javalogo.png" alt="Java Coffee Cup logo"></td>
                      </tr>
                   </tbody>
                </table>
             </div>

             <div class="header-links">
	         <a href="./index.html">Home</a> | 
<a href="../information/download.html">Download</a> | 
<a href="./javaeetutorial6.pdf">PDF</a> | 
<a href="../information/faq.html">FAQ</a> | 
<a href="http://download.oracle.com/javaee/feedback.htm">Feedback</a>

             </div>
             <div class="navigation">
                 <a href="bncah.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
                 <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
                 <a href="gijue.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
             </div>
         </div>

	 <div class="maincontent">      	 
             

<a name="bncal"></a><h2>Securing Enterprise Information Systems Applications</h2>
<a name="indexterm-2176"></a><a name="indexterm-2177"></a><p>In EIS applications, components request a connection to an EIS resource. As part
of this connection, the EIS can require a sign-on for the requester to
access the resource. The application component provider has two choices for the design
of the EIS sign-on:</p>


<ul><li><p><a name="indexterm-2178"></a><a name="indexterm-2179"></a><b>Container-managed sign-on</b>: The application component lets the container take the responsibility of configuring and managing the EIS sign-on. The container determines the user name and password for establishing a connection to an EIS instance. For more information, see <a href="#bncam">Container-Managed Sign-On</a>.</p>

</li>
<li><p><a name="indexterm-2180"></a><a name="indexterm-2181"></a><b>Component-managed sign-on</b>: The application component code manages EIS sign-on by including code that performs the sign-on process to an EIS. For more information, see <a href="#bncan">Component-Managed Sign-On</a>.</p>

</li></ul>
<p>You can also configure security for resource adapters. See <a href="#bncao">Configuring Resource Adapter Security</a> for more
information.</p>



<a name="bncam"></a><h3>Container-Managed Sign-On</h3>
<a name="indexterm-2182"></a><a name="indexterm-2183"></a><a name="indexterm-2184"></a><p>In container-managed sign-on, an application component does not have to pass any sign-on
security information to the <tt>getConnection()</tt> method. The security information is supplied by the
container, as shown in the following example:</p>

<pre>// Business method in an application component
Context initctx = new InitialContext();
// Perform JNDI lookup to obtain a connection factory
javax.resource.cci.ConnectionFactory cxf =
    (javax.resource.cci.ConnectionFactory)initctx.lookup(
    "java:comp/env/eis/MainframeCxFactory");
// Invoke factory to obtain a connection. The security
// information is not passed in the getConnection method
javax.resource.cci.Connection cx = cxf.<b>getConnection()</b>;
...</pre>

<a name="bncan"></a><h3>Component-Managed Sign-On</h3>
<a name="indexterm-2185"></a><a name="indexterm-2186"></a><a name="indexterm-2187"></a><p>In component-managed sign-on, an application component is responsible for passing the needed sign-on
security information to the resource to the <tt>getConnection</tt> method. For example, security
information might be a user name and password, as shown here:</p>

<pre>// Method in an application component
Context initctx = new InitialContext();

// Perform JNDI lookup to obtain a connection factory
javax.resource.cci.ConnectionFactory cxf =
    (javax.resource.cci.ConnectionFactory)initctx.lookup(
    "java:comp/env/eis/MainframeCxFactory");

// Get a new ConnectionSpec
com.myeis.ConnectionSpecImpl properties = //..

// Invoke factory to obtain a connection
properties.setUserName("...");
properties.setPassword("...");
javax.resource.cci.Connection cx =
    cxf.<b>getConnection(properties)</b>;
...</pre>

<a name="bncao"></a><h3>Configuring Resource Adapter Security</h3>
<a name="indexterm-2188"></a><a name="indexterm-2189"></a><p>A resource adapter is a system-level software component that typically implements network connectivity
to an external resource manager. A resource adapter can extend the functionality of
the Java EE platform either by implementing one of the Java EE standard
service APIs, such as a JDBC driver, or by defining and implementing a
resource adapter for a connector to an external application system. Resource adapters can
also provide services that are entirely local, perhaps interacting with native resources. Resource
adapters interface with the Java EE platform through the Java EE service provider
interfaces (Java EE SPI). A resource adapter that uses the Java EE SPIs
to attach to the Java EE platform will be able to work with
all Java EE products.</p>

<p>To configure the security settings for a resource adapter, you need to edit
the resource adapter descriptor file, <tt>ra.xml</tt>. Here is an example of the part
of an <tt>ra.xml</tt> file that configures the following security properties for a resource
adapter:</p>

<pre>&lt;authentication-mechanism>
    &lt;authentication-mechanism-type>
        BasicPassword
    &lt;/authentication-mechanism-type>
    &lt;credential-interface>
        javax.resource.spi.security.PasswordCredential
    &lt;/credential-interface>
&lt;/authentication-mechanism>
&lt;reauthentication-support>false&lt;/reauthentication-support></pre><p>You can find out more about the options for configuring resource adapter security
by reviewing <tt></tt><i>as-install</i><tt>/lib/dtds/connector_1_0.dtd</tt>. You can configure the following elements in the resource adapter
deployment descriptor file:</p>


<ul><li><p><b>Authentication mechanisms</b>: Use the <tt>authentication-mechanism</tt> element to specify an authentication mechanism supported by the resource adapter. This support is for the resource adapter, not for the underlying EIS instance.</p>

<p>There are two supported mechanism types:</p>


<ul><li><p><tt>BasicPassword</tt>, which supports the following interface:</p>

<pre>javax.resource.spi.security.PasswordCredential</pre></li>
<li><p><tt>Kerbv5</tt>, which supports the following interface:</p>

<pre>javax.resource.spi.security.GenericCredential</pre><p>The GlassFish Server does not currently support this mechanism type.</p>

</li></ul>
</li>
<li><p><b>Reauthentication support</b>: Use the <tt>reauthentication-support</tt> element to specify whether the resource adapter implementation supports reauthentication of existing <tt>Managed-Connection</tt> instances. Options are <tt>true</tt> or <tt>false</tt>.</p>

</li>
<li><p><b>Security permissions</b>: Use the <tt>security-permission</tt> element to specify a security permission that is required by the resource adapter code. Support for security permissions is optional and is not supported in the current release of the GlassFish Server. You can, however, manually update the <tt>server.policy</tt> file to add the relevant permissions for the resource adapter.</p>

<p>The security permissions listed in the deployment descriptor are different from those required by the default permission set as specified in the connector specification.</p>

<p>For more information on the implementation of the security permission specification, visit <a href="http://download.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html#FileSyntax">http://download.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html#FileSyntax</a>.</p>

</li></ul>
<p>In addition to specifying resource adapter security in the <tt>ra.xml</tt> file, you
can create a security map for a connector connection pool to map an
application principal or a user group to a back-end EIS principal. The security
map is usually used if one or more EIS back-end principals are used
to execute operations (on the EIS) initiated by various principals or user groups
in the application.</p>



<a name="bncap"></a><h3>To Map an Application Principal to EIS Principals</h3><p>When using the GlassFish Server, you can use security maps to map
the caller identity of the application (principal or user group) to a suitable
EIS principal in container-managed transaction-based scenarios. When an application principal initiates a request to
an EIS, the GlassFish Server first checks for an exact principal by using
the security map defined for the connector connection pool to determine the mapped
back-end EIS principal. If there is no exact match, the GlassFish Server uses
the wildcard character specification, if any, to determine the mapped back-end EIS principal.
Security maps are used when an application user needs to execute EIS operations
that require to be executed as a specific identity in the EIS.</p>

<p>To work with security maps, use the Administration Console. From the Administration
Console, follow these steps to get to the security maps page.</p>

<ol>
<li><b>In the navigation tree, expand the Resources node.</b></li>
<li><b>Expand the Connectors node.</b></li>
<li><b>Select the Connector Connection Pools node.</b></li>
<li><b>On the Connector Connection Pools page, click the name of the connection pool
for which you want to create a security map.</b></li>
<li><b>Click the Security Maps tab.</b></li>
<li><b>Click New to create a new security map for the connection pool.</b></li>
<li><b>Type a name by which you will refer to the security map,
as well as the other required information.</b><p>Click the Help button for more information on the individual options.</p></li></ol>
         </div>
         <div class="navigation">
             <a href="bncah.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
             <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
             <a href="gijue.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
         </div>

         <div class="copyright">
      	    <p>Copyright &copy; 2011, Oracle and/or its affiliates. All rights reserved. <a href="docinfo.html">Legal Notices</a></p>
      	 </div>

      </td>
   </tr>
</tbody>
</table>
</body>
</html>

